Cybersecurity researchers have uncovered a new ransomware-as-a-service (RaaS) operation known as GLOBAL GROUP, which has been targeting various sectors across Australia, Brazil, Europe, and the United States since it surfaced in early June 2025.
According to Arda Büyükkaya, a researcher at EclecticIQ, the operation was promoted on the Ramp4u forum by a threat actor using the alias "$$$." This same actor also oversees the BlackLock RaaS and previously managed the Mamona ransomware campaign.
Investigators believe that GLOBAL GROUP is a rebranded version of BlackLock, which itself was a rebrand of Eldorado. The rebranding likely followed an incident in March when BlackLock’s data leak site was defaced by the DragonForce ransomware cartel.
GLOBAL GROUP has been linked to financially motivated cyberattacks and relies heavily on initial access brokers (IABs) to gain entry into targeted systems. These brokers provide access to vulnerable network devices from vendors like Cisco, Fortinet, and Palo Alto Networks. The group also uses brute-force tools to compromise Microsoft Outlook and RDWeb portals. Using Remote Desktop Protocol (RDP) or web shell access to networks, especially those of law firms, GLOBAL GROUP is able to deploy post-exploitation tools, move laterally within systems, exfiltrate data, and execute ransomware attacks.
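Because the initial access described above often starts with brute-force or password-spray attempts against externally exposed portals such as Outlook Web Access or RDWeb, the following added example (not code from the article, EclecticIQ, or the threat actor) shows the two detections a defender would run over portal authentication logs: a single source hammering one account, and a single source trying a few passwords across many accounts. The log format, the sample lines, and the thresholds are all constructed assumptions; adapt the parser to whatever your portal actually emits.

```python
"""Detect brute-force and password-spray patterns in portal authentication logs.

Added illustration for defenders; the log format below is a hypothetical
normalised form (timestamp, client IP, target account, result) and the sample
lines are constructed, not taken from any real incident.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one IP brute-forcing 'alice' until it succeeds, a second IP
# spraying one guess across five accounts, and a benign user mistyping once.
SAMPLE_LOG = """\
2025-06-03T08:00:01Z 203.0.113.10 alice FAIL
2025-06-03T08:00:03Z 203.0.113.10 alice FAIL
2025-06-03T08:00:05Z 203.0.113.10 alice FAIL
2025-06-03T08:00:07Z 203.0.113.10 alice FAIL
2025-06-03T08:00:09Z 203.0.113.10 alice FAIL
2025-06-03T08:00:11Z 203.0.113.10 alice FAIL
2025-06-03T08:00:13Z 203.0.113.10 alice OK
2025-06-03T08:10:00Z 198.51.100.7 alice FAIL
2025-06-03T08:10:20Z 198.51.100.7 bob FAIL
2025-06-03T08:10:40Z 198.51.100.7 carol FAIL
2025-06-03T08:11:00Z 198.51.100.7 dave FAIL
2025-06-03T08:11:20Z 198.51.100.7 erin FAIL
2025-06-03T08:30:00Z 192.0.2.55 bob FAIL
2025-06-03T08:30:30Z 192.0.2.55 bob OK
"""


def parse_log(text):
    """Turn the hypothetical log format into (timestamp, ip, user, success) tuples, time-sorted."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Flag (ip, user) pairs with >= threshold failures inside a sliding window.

    'success_after' becomes True when a successful logon follows the burst within
    the window, which is the case that needs immediate response, not just a block.
    """
    alerts = {}
    recent = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    for ts, ip, user, ok in events:
        key = (ip, user)
        q = recent[key]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if not ok:
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "success_after": False})
                alert["failures"] = max(alert["failures"], len(q))
        elif len(q) >= threshold:
            # A success right after a qualifying burst: the guess most likely landed.
            alerts[key]["success_after"] = True
            q.clear()
    return alerts


def detect_spray(events, window=timedelta(minutes=10), min_accounts=4):
    """Flag source IPs that fail against >= min_accounts distinct accounts in a window.

    Sprays stay under per-account lockout thresholds, so the per-account detector
    above misses them; counting distinct accounts per source catches them.
    """
    alerts = {}
    recent = defaultdict(deque)  # ip -> (timestamp, user) of recent failures
    for ts, ip, user, ok in events:
        if ok:
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_accounts:
            alerts[ip] = sorted(users)
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for (ip, user), info in detect_bruteforce(evts).items():
        print(f"brute-force: {ip} -> {user} ({info['failures']} failures, "
              f"success after: {info['success_after']})")
    for ip, users in detect_spray(evts).items():
        print(f"password spray: {ip} -> {', '.join(users)}")
```

Run against the constructed sample, the first detector reports 203.0.113.10 against alice with a success following the burst, and the second reports 198.51.100.7 spraying five accounts, while the benign mistype from 192.0.2.55 triggers nothing. In production the same two rules map directly onto Windows Security event 4625/4624 or IIS logs from the RDWeb and OWA front ends, and the success-after-burst case is the one worth paging on, since it matches the "brute-force portal, then RDP in" sequence this group is reported to follow.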
This approach allows affiliates to focus more on payload deployment, ransom demands, and negotiations rather than handling the initial network compromise. The platform includes a negotiation portal and an affiliate dashboard, where cybercriminals can manage victims, generate payloads for systems such as VMware ESXi, NAS, BSD, and Windows, and track their operations. To attract affiliates, the group offers a revenue-sharing model that allows them to retain 85 percent of collected ransoms.
A Dutch security firm reported that GLOBAL GROUP’s negotiation system uses AI-powered chatbots, enabling affiliates who do not speak English to communicate with victims more effectively.
As of July 14, 2025, GLOBAL GROUP has claimed responsibility for 17 attacks. Its victims include organizations in sectors such as healthcare, oil-and-gas equipment manufacturing, industrial machinery, precision engineering, auto repair, accident recovery, and business process outsourcing.
Connections to BlackLock and Mamona are evident in the use of the same Russian VPS provider, IpServer, and shared source code elements with Mamona. Researchers note that GLOBAL GROUP builds on Mamona’s capabilities by adding new features that allow ransomware to be deployed across entire domains. The malware itself is developed in Go, similar to BlackLock.
Büyükkaya described the creation of GLOBAL GROUP as a calculated move by BlackLock’s administrator to modernize operations, diversify income streams, and remain competitive in the evolving ransomware landscape. The operation includes tools such as mobile-compatible panels, AI-supported negotiation, and customizable ransomware builders to appeal to a broader network of affiliates.
The findings were released alongside data showing that the Qilin ransomware group was the most active RaaS operator in June 2025, with 81 known victims. Other notable groups included Akira with 34 victims, Play with 30, SafePay with 27, and DragonForce with 25.
CYFIRMA reported that SafePay saw the sharpest drop in activity at 62.5 percent, while DragonForce experienced a surge in attacks of over 200 percent.
Overall, the number of ransomware victims fell from 545 in May to 463 in June 2025, a 15 percent decrease. February recorded the highest number of cases this year with 956 victims. Still, experts from the NCC Group noted that despite the drop, rising geopolitical tensions and prominent cyberattacks indicate increasing global cyber instability.
Data from Optiv’s Global Threat Intelligence Center (gTIC) revealed that 314 ransomware victims were listed on 74 data leak sites during the first quarter of 2025, marking a 213 percent rise compared to earlier periods. Researchers identified 56 different ransomware variants during the first quarter of 2024.
Optiv’s Emily Lee added that attackers continue to rely on proven methods to breach systems, including phishing, exploiting software vulnerabilities, targeting insecure or exposed applications, launching supply-chain attacks, and leveraging the IAB community for access.